Age | Commit message | Author |
|
Requested by brad@
|
splnet/IF_DEQUEUE/splx; ok various people
|
ok brad@, deraadt@
|
unicast reverse path forwarding (URPF) check drops packets coming in
on an interface other than that which holds the route back to the
packet's source address. this caused problems with routes bound to a
carp interface instead of the underlying interface. this diff
validates the underlying carpdev if the route is bound to a carp
interface.
from Pierre-Yves Ritschard (pyr at spootnik.org)
ok henning@
|
initialized, it might equal &iproute by chance, causing a panic
when rtfree() is then mistakenly called.
|
number, it can differ from the sequence number being tested (for packets
without payload), and both matter in explaining why a packet mismatched.
|
(s6_addr16[1] filled)
ok dhartmei
|
reuses IPv4 signature file (assuming that TCP code is shared among IPv4/v6).
mcbride ok.
|
ok otto@
|
P2P is commonly used in relation to peer to peer networks, PTP is used
in various protocols for layer 2 point to point links (i.e., full
duplex ethernet links).
note that the newly added brconfig commands [-]p2p and [-]autop2p will
change to [-]ptp and [-]autoptp.
suggested by Andrew Thompson (thompsa@freebsd.org)
|
ifp0->if_link_state == LINK_STATE_UP to handle the new half/full
duplex link states. i forgot to commit these snippets before.
ok jsg@
|
ok canacar@
|
by Andrew Thompson (thompsa@freebsd.org). The local changes include
adaptation to our bridge code, reduced stack usage and many other bits.
If stp is enabled, RSTP will now be used by default.
Thanks for help from Andrew.
This code has been in snaps for a while now, commit encouraged by deraadt@
|
From: Genadijus Paleckis <lsd@nnt.lt>
but the really bad description of the diff made this way more complicated
than needed. pls plz, when sending in diffs, describe properly what they
do and why!
|
state, if known by the driver. this is required to check the full
duplex state without depending on the ifmedia ioctl which can't be
called in the kernel without process context.
ok henning@, brad@
|
an interface. Fixes a double free panic.
ok claudio@, looks fine henning@
|
phase 2 traffic. this allows policy-based filtering of encrypted and
unencrypted ipsec traffic with pf(4). see ipsec.conf(5) and
isakmpd.conf(5) for details and examples.
this is work in progress and still needs some testing and feedback,
but it is safe to put it in now.
ok hshoexer@
|
ifp->if_link_state instead of calling the ifmedia ioctl. this is safe
in timeouts without process context and allows using bridge stp with
usb ethernet devices now.
figured out and tested by Stuart Henderson, closes pr 5304.
|
diff from Berk D. Demir <bdd@mindcast.org>
ok henning dhartmei
|
we need to do so whenever we do have a (pf) tag != 0 on the state OR (that
part was missing) when rtableid on the rule is nonzero.
problem noticed by Andreas Lundin <lunde@dreamhosted.se> testing the
multiple routing tables enabling diff, ok mcbride
|
code factored out from if_addgroup(), previously a group always had to have
members. ok mpf mcbride
|
them being there.
diff & ok deraadt
|
from alexandre ratchov. ok claudio
|
without trying to free the (in that case nonexistent) tdb mbuf
found out the hard way by pedro
|
being created for now - much more work would be required to change that
input & ok ryan
|
it's "special" case in ether_input(). Based on similar idea in FreeBSD.
ok brad
|
ok henning@ deraadt@ canacar@
|
be imported into pfctl. This is a precursor to separating ruleset parsing
from loading in pfctl, and tons of good things will come from it.
2 minor changes aside from cut-n-paste and #define portability magic:
- instead of defining the global pf_main_ruleset, define pf_main_anchor
(which contains the pf_main_ruleset)
- allow pf_find_or_create_ruleset() to return the pf_main_ruleset if it's
passed an empty anchor name.
ok henning dhartmei
|
logs go. ok mcbride
|
for now, only allow pflog0 to be created.
keep an array of ifps to the pflog interfaces with the unit # as index for
fast access.
if pflog0 does not exist, no logging is done (just like if it is down).
on machines without pf enabled, this makes the pflog0 interface go away,
on machines with pf, rc sets up pflog0 and starts pflogd, no change there.
idea old (pf2k4 or c2k5?), hacked at the hack.lu 2006 conference, ryan ok
|
success, not -1 on error. fix check in 2 cases. ok mpf mcbride
|
ok henning@ dhartmei@ deraadt@
|
the anchor, terminate ruleset evaluation when stepping out of the anchor.
This means that if you absolutely want the anchor to be terminal, you
probably want to use a 'block all' or 'pass all' rule at the start of the
anchor.
ok dhartmei@ henning@ deraadt@
|
ok frantzen, dhartmei, henning
|
for equality (ip_tos == x). for priority queue assignment, compare AND-wise
(ip_tos & IPTOS_LOWDELAY). this matters mostly for cases where the reserved
bits in ip_tos are used (RFC791, 1349) and more than a single bit is set.
from Steve Welham, closes PR5226 and PR5227.
|
numbers, reported by Raja Subramanian; ok henning@
|
as the resulting demotion counter value is in range. previously, we only
allowed +/- 1. ok mpf mcbride deraadt
|
and drop such bad packets. Also remove some redundant mallocs.
This fixes possible heap overflows when forming replies to such bad
packets as discovered by Martin Husemann and Pavel Cahyna.
reported by NetBSD, initial diff from markus@,
additional comments by claudio@, ok markus@
|